selinux: make mls_compute_sid always polyinstantiate
authorEamon Walsh <ewalsh@tycho.nsa.gov>
Thu, 24 Jan 2008 20:30:52 +0000 (15:30 -0500)
committerJames Morris <jmorris@namei.org>
Fri, 25 Jan 2008 00:29:56 +0000 (11:29 +1100)
This patch removes the requirement that the new and related object types
differ in order to polyinstantiate by MLS level.  This allows MLS
polyinstantiation to occur in the absence of explicit type_member rules or
when the type has not changed.

Potential users of this support include pam_namespace.so (directory
polyinstantiation) and the SELinux X support (property polyinstantiation).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
security/selinux/ss/mls.c

index fb5d70a6628dfe79a31a5209f20e38eccdc00bbc..3bbcb5369af9eb6ae2f230a2b0d0ea5099a55273 100644 (file)
@@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
                        /* Use the process effective MLS attributes. */
                        return mls_context_cpy_low(newcontext, scontext);
        case AVTAB_MEMBER:
-               /* Only polyinstantiate the MLS attributes if
-                  the type is being polyinstantiated */
-               if (newcontext->type != tcontext->type) {
-                       /* Use the process effective MLS attributes. */
-                       return mls_context_cpy_low(newcontext, scontext);
-               } else {
-                       /* Use the related object MLS attributes. */
-                       return mls_context_cpy(newcontext, tcontext);
-               }
+               /* Use the process effective MLS attributes. */
+               return mls_context_cpy_low(newcontext, scontext);
        default:
                return -EINVAL;
        }
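Review bot: The comment on the new `AVTAB_MEMBER` branch is a copy of the one two lines above it and does not record the decision this commit makes: the related object's MLS attributes (`tcontext`) are no longer consulted for member decisions, even when `newcontext->type == tcontext->type`. I would replace it with something like `/* Always polyinstantiate by MLS level: take the process effective MLS attributes and ignore tcontext's, whether or not the type changed. */`, so a later reader does not reintroduce the type comparison as an apparent optimisation. The removed `else` arm returned `mls_context_cpy(newcontext, tcontext)`, so a member computation with an unchanged type now yields a different label than before. That presumably affects objects already labelled under the old rule, which is worth a sentence in the function's header comment or the commit description. The body of `mls_compute_sid` starts outside this hunk, so I cannot tell whether `tcontext` is still used by the other cases.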